On Feb 9, 4:54am, Luke Mewburn wrote:
}
} A while ago I was examining the source to various PAM modules
} learning how to write a custom one that changes PAM_USER
} (which is supported).
} Part of this research resulted in my submission of:
} PR 30608 sshd doesn't honour PAM modules changing PAM_USER
}
} Another part of my research leads me to believe that pam_krb5 isn't
} correctly dealing with the user name being changed by itself _internally_.
}
} See around line 207:
}
} /* Verify the local user exists (AFTER getting the password) */
} if (strchr(user, '@')) {
} /* get a local account name for this principal */
} krbret = krb5_aname_to_localname(pam_context, princ,
} sizeof(luser), luser);
} // [...]
} retval = pam_set_item(pamh, PAM_USER, luser);
} // [...]
} }
} if (getpwnam_r(user, // [...]
}
} AFAICT, the getpwnam_r() may attempt to lookup a local username
} of the form "user/foo@bar.com", which will fail, since krb5
It does appear that this can happen.
} is a PAM authentication service not an nsswitch name service,
} so the getpwnam_r() of "user/foo@bar.com" will fail.
Whether it fails would depend on what nsswitch name service
modules are installed and what they do.
} Or have I missed something?
The possibility that an nsswitch name service module that can
handle "user/foo@bar.com" may be installed. Whether or not this is the
right thing to do, I have no idea since I don't know much about
kerberos. If it is the wrong thing, then it appears that the
getpwnam_r line should be something like:
getpwnam_r(*luser ? luser : user, [...] . Of course, luser would have
to be initialised.
}-- End of excerpt from Luke Mewburn